- New vulnerability potentially affecting all USB devices. At BlackHat 2014, Karsten Nohl and Jakob Lell gave a presentation on what they called BadUSB, a vulnerability at the core of USB devices that allows an attacker to literally reprogram pretty much any USB device so that it can be used for evil. The code for the exploit was not released at Black Hat but was later released at Derbycon in Kentucky and is now being spotted ‘in the wild’. At this time there is no defense against BadUSB and, to make matters worse, there is no way to detect it. It’s not realistic to tell people “don’t use USB devices at all” but there are a few things that you can do to mitigate the risk until a method for detecting the threat is made available:
- Do not buy / use pre-owned USB devices. Only buy USB devices new, in the box. It’s worth noting here that there have been cases of USB devices being ‘pre loaded’ with malware in the past, so this isn’t a sure thing, but it’s a good practice nonetheless.
- Only use trusted USB devices in your computer. Do not blindly accept USB devices from friends, neighbors, vendors, etc. This includes the ‘free USB keys’ that folks love to give away at trade shows.
- Don’t leave your USB devices available and unattended. It doesn’t take long to reprogram a USB device using BadUSB and, once it’s done, the victim would likely never know that it had happened.
- Additional information is available at SRLabs, Digital Trends and Mashable.
- Get off your can and do what you can. I’m excited about our program to refurbish previously loved Windows XP workstations with Ubuntu Linux and getting them in the hands of folks that otherwise would not have a computer. In case you missed it, here are the details of the program, but the short story is that if you or someone that you know doesn’t have a computer but would like one, we are giving away working computers pre-loaded with Ubuntu Linux. These are computers that had Windows XP installed but were not upgraded (for whatever reason) to Windows 7 but will run Ubuntu Linux just fine. These are first-come, first-served.
- JP Morgan Chase Breach? Another month brings notification of another massive data breach. This time it was JP Morgan Chase. Reports indicate that approximately 76 million households and 7 million businesses were affected and that the information leaked included phone numbers and emails but no account information. If that’s the case, expect phone and email phishing and/or spear phishing attacks as a result (“Yes, this is Bob with JP Morgan calling regarding your account. We show that there are some irregularities but, before we can discuss it with you, we need to verify your information”). As with the Home Depot breach and the Target breach before that, I don’t think that this is going to slow down anytime soon. Some ways to mitigate the damage include:
- Keep an eye on your credit report (Clark Howard has some good info on doing that on his website).
- Don’t use the same password for everything.
- Use a password manager like Keepass (free) to keep up with your passwords and to generate long, complex passwords.
- Use caution with email. Don’t click on links and do not send sensitive information via email.
- Use caution when accepting calls purporting to be from vendors you use. If they request any sensitive information, get their name and tell them that you’re going to call right back. Call the actual vendor’s number on your bill. If it was them, there should be no problem. If it wasn’t them, you just saved yourself some trouble.
- Are you backing up (repost)? I mentioned this last month (and the month prior) but, especially with the continued growth of ransomware like Cryptolocker, Synolocker, etc., it’s worth mentioning again. If you’re not storing anything important (pictures that you want to keep, documents, business data, etc.), backups aren’t something that you need to worry about. If you are though (keeping digital pictures, documents, business data, etc.), you *need* to be backing it up and a backup IS NOT a $4 thumb drive that you got on sale at Staples. Those are transient storage, not a backup. If you’re going to use local storage for a backup, get an actual disk (or a pair of disks and alternate). We recommend (and use) CrashPlan Pro for our backups. It’s easy to use, they offer a 30 day free trial, they have an app for your smartphone (Did my backup run? Let me check, yup, there’s that file that I created earlier today) and they support roll-your-own encryption so you’ve got less to worry about regarding privacy. All of that plus their tech support rocks. Simple. Cheap. Easy. Done.
Microsoft – According to the Advanced Notification of October 2014, there are a total of 9 bulletins with 3 listed as critical, 1 as Moderate and the remaining 5 listed as important. The critical bulletins address vulnerabilities that can allow remote code execution (someone can install software onto your computer without your permission or knowledge). The moderate bulletin addresses a bug that can allow a user to gain higher level access to your computer than they should. The important bulletins range from remote code execution to privilege escalation (allowing a user or process / program to run with administrative privileges without the administrative password) and security feature bypass (bypassing specific security features). Most of the updates require a reboot and should be installed as soon as testing permits. The updates address issues in Windows, Internet Explorer, Office, Developer Tools and the .NET Framework.
Microsoft releases regular updates the second Tuesday of each month, often referred to as ‘Patch Tuesday’. These updates are categorized as Low, Moderate, Important or Critical. Details on the categories are available here. The updates can include any supported Microsoft product from Windows to Office to Internet Explorer and server products like Exchange and SQL Server. If you have one or more of these products installed, especially if the update is listed as Important or Critical, it’s important that the updates are installed.
Adobe – The last update from Adobe as of the time of this newsletter was on 16 September and it addressed a vulnerability in Reader and Acrobat. I expect additional updates on Tuesday, but we won’t know for certain until then.
Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Java – The most up-to-date release version of Java, as of the time of this newsletter, is Java 7 update 67. I’m not sure if this is because attackers have found another target (e.g., Windows XP and / or Internet Explorer) or if Oracle has all of the holes plugged, but I’m inclined to say kudos to Oracle this time either way.
Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections. Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months. It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.
These updates will be automatically reviewed, approved and installed for MyIT Customers. If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know. The Cyber Tech Cafe MyIT services are available in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold). Pricing is based on the number of physical locations, servers and workstations that you have.